TotalCIO

As 2014 draws to a close, security is at the forefront of everyone’s minds. The most recent unsettling security incident is North Korea’s alleged involvement in the Sony data breach and the implications of that type of cyber attack for other private companies. How should companies prepare for security in 2015?

“The bad guys are going to grow,” Pete Lindstrom, IDC research director of security products, said during the company’s recent 2015 security prediction webinar. “They’re going to adapt and innovate, and so we have to really mirror and match that and hopefully get ahead of them in some ways moving forward.”

An attacker can innovate faster than a regulation, warned Lindstrom. “We have to keep in mind that these folks are nimble and they’re going to get around any kind of… enforced controls that are out there,” he said.

Here are four areas of security outlined in the IDC webinar that IT leaders should consider for 2015:

Risk-based budgeting

The first step is to figure out where to invest your money. Companies don’t have enough money to do it all and protect everything, so some analysis is needed to figure out where to strategically invest.

“You need to put this whole concept of risk mitigation on the top of your agenda,” Charles Kolodgy, IDC research vice president of security products, said. “Many more organizations will have to start looking at their security spending by risk because they just don’t have enough money… to protect [everything].”

Kolodgy suggests looking into analytics and software that may be able to help your company get a better understanding of how best to deal with security investments. IT needs to be able to quickly adjust to emerging threats, he added. And old strategic investments are becoming liabilities.

“You need to have a team of security professionals and I think that team should also include a business person… so that they can look at metrics to help with your decision-making,” Kolodgy said.

Lindstrom added: “We’re all better off as we get our arms around understanding economic impacts and probabilities… and get away from this age-old, fear, uncertainty, and doubt kind of approach to securing our enterprise.”

Threat intelligence

“[Threat intelligence is] not about just generating data as much as it is about figuring out how to get to that intelligence side of things,” Lindstrom said.

In order to successfully utilize threat intelligence, Kolodgy said companies will need to carefully vet vendors to make sure they’re getting full visibility.

“The problem is that… there’s a wide range of providers that are both established security vendors, established telecommunications vendors, and a lot of new guys,” Kolodgy said. He advises companies to focus on whether vendors are creating their own intelligence or just amalgamating intelligence. In other words, “are they a secondary or primary source of information?”

Kolodgy said that it is critical for a company to know this as they build out the usage of threat intelligence “because you could have duplication.”

Regardless, having some sort of program in place is key because the software that vendors provide allows companies to “pick that needle out of the haystack,” Lindstrom said. It will be able to tell you that you’re at risk under X circumstances from X person, and that X type of resources needs to be protected more.

Kolodgy also suggests automating threat intelligence because there is a shortage of IT security talent.

Data encryption

“We need to manage the data a lot better than we do it because it is a potential liability,” Kolodgy said. Especially because everyone and everything is moving to the cloud.

“It’s in a lot of respects a little disappointing that we’re at the stage we’re in given the nature and sensitivity of data. And [it is] certainly worth pointing out that this also includes the new and improved cloud-based file transfer services and the like from our data stuff,” Lindstrom said. But like it or not, there is no avoiding the cloud at this stage in the game, he said.

Lindstrom suggests “[tethering] your [cryptographic] key into your environment.” He added that “maintaining them under your control is going to be crucial to your long term strategic success around encrypting data and deploying it in the cloud.”

“You [also] need to have policies,” he said. It is important for a company to determine what specific categories of information require confidentiality. Once those categories are pin-pointed, policies must be put in place.

But in order to do all of this successfully, Kolodgy said it has to be a team effort between the business side, the compliance auditors, and the security team.

Security SaaS

Kolodgy points out that because attackers can innovate much faster than companies can right now, it’s important to leverage SaaS, and the agility that comes with it, to compete with attackers and be one step ahead of them.

“You’re not going to have time to roll out a product and train people and hire people,” Kolodgy said.

Either way, companies don’t really have a choice anymore.

“If our data centers are moving to the cloud, our security has got to move with it,” Lindstrom said. He advises that companies leverage outsourced managed security services because if you’re not, “you’re probably missing out on the real great insight that they can gain from attacks going on all over the place.”

It’s official: The FBI linked the Sony Pictures hack back to North Korea today, as Associate Editor Fran Sales reports in this week’s Searchlight News Roundup. You can read the full FBI statement here.

The destruction and leaking of sensitive corporate data by a group calling itself the Guardians of Peace was in retaliation for The Interview, a movie that depicts an assassination plot against North Korean leader Kim Jong Un.

In a press conference following the FBI’s announcement, President Barack Obama made more news, saying that he thought Sony’s decision to cancel the Dec. 25 release was a mistake.

“Sony’s a corporation; it suffered significant damage; there were threats against its employees; I am sympathetic to the concerns that they faced. Having said all that, yes, I think they made a mistake,” Obama said.

The president said he wished Sony had discussed the issue with him first, because he would have advised the company to not let a dictator in another country bully them into pulling what was clearly a satirical movie.

“We cannot have a society in which some dictator someplace can start imposing censorship here in the United States. Because if somebody is able to intimidate folks out of releasing a satirical movie, imagine what they start doing when they see a documentary that they don’t like, or news reports that they don’t like. Or, even worse, imagine if producers and distributors and others start engaging in self-censorship, because they don’t want to offend the sensibilities of somebody whose sensibilities probably need to be offended,” Obama said.

In other news this week, Yahoo CEO Marissa Mayer tries to restore the company to its former tech glory; Apple Pay may soon face a worthy rival in Samsung; and Sony is working on a clip-on wearable that may give Google Glass a run for its money. Check out these items and more in this week’s Searchlight.

The International Institute for Analytics (IIA), a research firm based in Portland, Ore., recently discussed ten predictions for 2015. Some were conventional — Prediction #7: Hadoop will go mainstream. Some were thought-provoking — Prediction #2: Storytelling will be the hot new skill in analytics. Should CIOs consider hiring journalists to do that job?

And one stood out because it seemed, well, ominous — Prediction #9: Analytics, machine learning, cognitive computing will increasingly take over the jobs of knowledge workers. Tom Davenport, co-founder of the IIA, professor of management and information technology at Babson College and analytics thought leader, said — and has been saying for years now — that business leaders need to be preparing for this now. They should consider how to “prepare knowledge workers to augment the work of smart machines rather than be automated by them,” he said.

Automation is already happening. Journalists, lawyers and even teachers are standing by while parts of their job descriptions are being taken over by things like predictive coding, knowledge-based curriculum design or automated earnings reports. While the technology is “still quite fragmented,” Davenport said during the IIA 2015 predictions webinar, “there’s probably not a knowledge worker problem out there that can’t be addressed by some system.”

There are benefits to the advancing tech. In many cases, as fellow IIA faculty member Robert Morison pointed out, “what we’re doing is better equipping people, and if we could do that at scale, it could make an enormous difference,” he said.

Jeremy TerBush, vice president of analytics at Wyndham Worldwide Corp., explained in the call that his team developed internal pricing systems that rely on algorithms to project tomorrow’s vacation rental prices. The cognitive computing program has not had an impact on the company’s workforce. “We’ve seen it hasn’t automated away any jobs,” he said. “It’s just allowed us to be more focused on us managing our inventory better.”

The system works about 80% of the time. “But 20% of the time, the prices are overridden by our revenue management team, who is closer to the market and picks up on things the algorithms are missing,” he said.

Automation can provide efficiency, help businesses make better decisions and save on costs. But (cue the sounds of dismay) there is the other side of the coin businesses may not be considering: What are they at risk for losing? Will automation simply deepen the divide between haves and have-nots?

Said Davenport: “I suspect the people who you need to do that are your most experienced and expert pricing analysts — and not the ones fresh out of school. Because, as we were saying, oftentimes the entry level work can be done by computers, it’s the hard cases humans need to override or augment.”

The question is, said Morison, “How does someone become an experienced pricer when all of entry level work is done by machines? Who learns to be the experienced expert?”

Data breaches have unfortunately become the norm. But the now infamous Sony breach has opened the eyes of the IT world to the fact that we haven’t seen the end of what cyber attacks have in store for enterprises.

Breaches can be more than just exposing sensitive information; as the Sony hack shows, they can be personally malicious. The attack, which used “wiper” malware to steal and delete corporate data, sought to harm Sony employees, Associate Site Editor Fran Sales reports. The attack was also highly sophisticated, according to experts — sophisticated enough to get by the security defenses of 90% of the private industry, according to the FBI cyber division’s Joseph Demarest Jr.

In addition to laying out how the Sony hack was different from other corporate attacks, Sales provides tips on how to protect yourself and your company from breaches like this. Good luck.

In other news this week, IBM and Apple have released 10 of the anticipated 100 apps in the IBM MobileFirst suite; Microsoft now accepts virtual currency; The Washington Post details the demise of Pirate Bay; and more in this week’s Searchlight.

A fundamental piece of advice that CIO Fumbi Chima gives to anyone who asks for professional help: Learn how to take risks. “You have to come out of your comfort zone,” she said during the recent Gartner Symposium CIO panel. She speaks from experience. The CIO at Walmart Asia, Chima didn’t start her career in IT — or retail, or Asia, for that matter.

Chima was first an accountant before wading into management consulting and then IT, working for companies like TXU Energy and American Express. The leap from accounting to IT meant she “had to teach myself how to be a business architect, to understand the physical and logical architecture — what it is and how do I map my business skills back to technology,” she said.

Five years ago, she took another leap of faith and changed industries, leaving financial services for retail. Of course, she was not just learning the retail business at any company, but at Walmart, one of the world’s largest retailers.

When considering a leap of faith, or when looking for a general change in career, Chima said to answer this question: What is the unique value you’ll bring to the position? Understanding that she had only a sliver of retail experience compared to some of her Walmart colleagues with 20-plus years in the industry, she thought strategically about what value she could add to the group and company, as well as what best practices from previous roles she could borrow “to help move the business further.”

It’s a kind of intellectual curiosity, what Chima called “being a student of innovation,” that continues to push her today. Earlier this year, she took another leap of faith when she accepted a position and moved her family to Hong Kong. No doubt, she’ll soon find a way to lend her unique value to that new community.

You may not have heard of the startup Paydiant, but chances are good that you’ll use its technology pretty soon. Paydiant has built the technology behind the mobile payments platform underlying CurrentC, the mobile pay app that is competing against Apple Pay for leadership in the mobile payment space.

Paydiant, started in 2010 in the proverbial basement (in this case, co-founder Kevin Laracey’s), has partnered with the Merchant Customer Exchange, or MCX, the consortium formed by many of the biggest retail brands in the US, including Target, Walmart, CVS, Best Buy and Rite Aid, to develop CurrentC.

When I visited Paydiant to film for my Startup Spotlight series, I asked co-founder Chris Gardner how Paydiant got from a small, scrappy company to where it is today.

In addition to no sleep, Gardner said a large part of the Boston-based startup’s success is due to hiring the right people. Here are the highlights:

Install an executive team well-versed in startups

While startups are often seen as the sole province of young people, experience does matter, according to Gardner.

“As you can tell I’m an old guy. We’re not 20-somethings in a garage and so I think that helps,” Gardner said. “On the executive team, a lot of us have been doing really only startups. Speaking just for me, I’ve only kind of done… technology startups in the Boston area.”

In fact, this is Gardner’s third payments startup. In his opinion, the collective startup experience among the executives at Paydiant really contributed to the success of the company. So does having leadership with expertise in multiple areas, said Paydiant CFO Melinda Smith, who has been with the company since its founding.

“When you’re early in a startup company as a CFO you need to wear a lot of hats; it’s not just about finance,” she said. “[Financial expertise] is an important component when you’re reporting to investors that have invested in the company, but you also need to have experience in human resources and some of the legal aspects of the company.”

Like Gardner, Smith’s background is replete with startup experience, Paydiant being her fourth startup.

Develop an instinct for who will fit in and advance

In addition to finding experienced people to fill the executive positions, Gardner said the hardest part of building a company is hiring the right people for the other levels of the company.

“It’s probably our single most important job,” Gardner said. “And you have to be right [about the person you’re hiring], you know, 95% of the time.”

Gardner said over the years the company has developed an instinct for hiring people who will be good team members and who will be able to “grow and scale with the company,” including taking on management roles.

“Find those diamonds in the rough,” Gardner said.

It’s not just about the ‘ultimate nerds’

At Paydiant, that doesn’t just mean finding smart, tech-savvy people, Gardner said. In addition to having those qualities, Paydiant employees also need to be articulate and represent the company well in front of customers and partners, Gardner said.

“Some people just look to go out and hire the most brilliant software developers they possibly can. We actually place a very high value not just on… technical chops, [making] the bits and bytes fit together, but also on people that can talk,” Gardner said.

And this is one aspect of Paydiant that sets them apart, Gardner said. “We very much value the articulate, charismatic types not just the ultimate nerds.”

Market research firm IDC presented its 2015 predictions for the IoT this week, and my first reaction was, “This one’s a doozy!” To put it another way: CIOs and CISOs, prepare for a massive flood of data and information from a slew of sensorized things, along with a lot more responsibility for IT professionals.

According to IDC, here are three important points you need to know about the IoT in 2015.

IoT and the cloud

IDC predicts that within the next five years, over 90% of all IoT data will be processed by cloud service providers. “We believe IoT data will be created from a wide range of sources and data formats,” said Vernon Turner, senior vice president at IDC. “As such, the better IoT solutions that have greater business values will have to integrate and process data from different repositories. Cloud computing providers will be better suited to this activity, rather than IT attempting to run it on premise or in a private enterprise environment.”

This will drive IT organizations to establish robust chargeback services, Turner said. This is because people will only want to pay for appropriate “data blending” services — data blending, in IDC parlance, meaning, taking the data, finding the value, and using it to benefit the business. Turner said establishing these chargeback services will become more important because IT will now be responsible for the original IoT data sources, as well as the “data blending” done by the cloud computing providers.

“The data blending process is not a simple aggregation or mash-up of data sources but rather an intelligent rules-based process that will require careful IT management and support,” Turner said.

Turner suggests IT organizations invest in automation services to manage real-time interactions, and to make sure there is a chief compliance officer involved because these interactions will require a heightened level of governance.

IoT and security

IDC predicts that within two years, 90% of all IT networks will have an IoT-based security breach. Though IDC says many of these will be considered “inconveniences,” CISOs will be forced to adopt new IoT security policies.

“The big challenges for security officers will be security and ensuring the privacy of information shared across so many so-called ‘smart devices’, whether they be televisions, automobiles, appliances,” Turner said. And because users may want access to all this data, it will create a huge compliance challenge, he added.

In addition, creating technology architectures around the IoT while ensuring platform inter-operability will be a challenge. Turner said data transfer through the corporate network must be encrypted, multiple methods of authenticating persons and devices must be implemented, and IT should be required to identify security and privacy-related technologies to support industry standards.

So, CISOs “need to think of a strong governance framework to tackle data leakage and privacy issues,” Turner said. “With so much data being created and handed off at many more touch points than before, this framework needs to be endorsed by the CEO.”

CISOs should also collaborate with their peers in order to get greater insights and situational awareness into areas vulnerable to breaches. Turner predicts this may be hard for CISOs to do but “the IoT will define a new level of openness where everything and everyone will be transparent,” he said.

Though it may be tough to do, Turner warns that those organizations or individuals who don’t accept transparency will be “almost impossible” to trust.

IoT and network capacity

IDC predicts that within three years, 50% of IT networks will go from having excess capacity to handle the addition of IoT devices, to being network-constrained — 10% of sites will be overwhelmed by the data from these devices.

“This seems hard to believe but when you think of the billions of endpoints pinging or streaming data through networks, capacity is going to be challenged,” Carrie MacGillivray, program vice president at IDC, said.

MacGillivray predicts that by 2020, 10,000 devices will be connected to corporate networks every minute – not every day or week but every 60 seconds.

“And therefore there will be the potential to impact that overall performance of the network if it’s not properly managed,” MacGillivray said. “Enterprise IT is going to be given the mandate to protect company data and its… end points.”

This will be a huge job for IT but it seems, right now, IT organizations are more concerned about the devices being brought into the enterprise, like tablets and smartphones and even some PCs, MacGillivray said. They are not paying attention to the potential IoT connections or the data that the company is supporting and they need to be.

But all that will change.

“We expect that by 2018 IoT network management is going to become a top five initiative along with business analytics, cloud computing and mobility projects,” MacGillivray said. “There’s going to be a need to support sensor-created content and outcomes.”

MacGillivray said that IT will have to set network access policies for these “things” or endpoints; there will need to be an access control and automation system in place to make sure the IT team isn’t overwhelmed, and, she said, it’s important to work to get IT a seat at the table early in the IoT planning process, before buying decisions are made.

Nowadays, businesses have to adopt and adapt to new technologies that might give them a competitive edge — and CIOs are in the position to help. But how do you know which new technology will pay off for the business and which will peter out — or worse, inflict damage?

One way for CIOs to get in the technology innovation/disruption game, according to a new report out by Deloitte, is to start thinking like a venture capitalist. As Associate Site Editor Fran Sales reports in this week’s Searchlight column, venture capitalists accept that some investments will be successful and others will fail — and hedge their bets accordingly. Of course, that’s a tall order for CIOs whose job, after all, is to ensure the reliability of IT operations.

Need some encouragement? Read about how Charles Weston, the former CIO of Bloomin’ Brands, took a flyer on cloud early on despite his teams’ concerns.

In other news this week, is Cyber Monday the new Black Friday? Also, read about the rise of the chief data officer, how Apple is under fire for deleting music that some of its iPod users downloaded from rivals, and more in this week’s Searchlight.

Not all key performance indicators (KPIs) are effective. Some are barely understood by the people instrumental to the outcome being measured. To help employees understand the meaning of KPIs, Dorvin Lively, CFO at Planet Fitness, developed a Financials 101 class.

In addition to financial measures, the club also uses a number of non-financial KPIs, said Lively — the wear and tear on machines being one. At fitness clubs, the treadmill closest to the locker room, for example, typically gets used most, so machines are rotated based on usage minutes.

Outside competition has an impact on business results, so Lively measures the lead time on new clubs coming into a market by researching pending and signed leases.

Customer satisfaction, of course, is another critical non-financial KPI, Lively said. The clubs recently added a gadget that asks patrons whether they are happy or not. “It’s wireless so it can be put anywhere in the club — at the front desk, in the restroom,” Lively said.

The rating, transmitted in real time, is taken seriously. “We incent our club managers on only three things: Say hello, say goodbye, and keep it clean,” Lively said. At one of the clubs that was consistently scoring on the low end of happy, the company tutored front desk managers on their obligatory hellos and goodbyes.

“We came up with a script,” Lively said. Instead of just hello, clients were greeted by name when they checked in. The front desk manager was instructed to tell the client to “have a good workout” on the way in and to “have a good day” on the way out.

Pretty basic stuff, but according to Lively, the customer happiness score at this club quickly went from the 70th percentile to the 90th percentile. “So, there is a metric that is not financial but is using today’s technology to see how a club is performing pre and post changes,” he said.

After visiting startups for the past few months to gather footage for my Startup Spotlight series, a few cultural commonalities stand out to me: a fun and relaxed atmosphere, the willingness to take a risk and passion.

Granted, when I visit and film people, the camera could have something to do with the level of excitement employees display. Still, all four startups faking it in the same way? I don’t buy it.

Besides, as a Millennial, I know that the drive to find a job that you’re passionate about, that allows you to try something new and different, and, heck, even save the world, is a real thing. Naïve? Maybe.

But I see that drive in the people — young and old — who work at these startups. That’s why I think startup culture works and why larger companies want to implement it into their own culture.

One of the things startups seem to do well: Find a balance between hard work and fun.

I’ve walked around startup offices and seen employees talking on personal cellphones, lounging on bean bag chairs, riding a scooter, and even playing ping pong and foosball — all during “work hours.” I’ve also seen people bounce around on yoga balls right in front of the CEO. It didn’t faze him.

Sometimes I wonder how they get their work done. And my hypothesis is this: You know how when you’re working and it becomes hard to concentrate? For most of us, it would look bad to take a 30-minute break and stare into space or surf Facebook or play games on your phone. Startups, on the other hand, seem to embrace the idea that inspiration and creativity come when they come. You can’t force it. But when lightning strikes, people work their butts off. If they’ve hit a roadblock, they take a break to get the creative juices flowing again.

Startups are also unafraid to experiment. They are willing to put everything on the line and fail. Because who knows? The idea or project could just work, and could be revolutionary. But they’re also willing to cut their losses.

Patrick Surry, chief data scientist at the startup Hopper, a search engine that helps people get the best deals on flights, explained it best. For our CIO and IT readers, it’s worth quoting him in full:

“A lot of what we do at Hopper is figure out what the right way to position and deliver the solution to the problem is. It’s challenging — we build stuff, we throw stuff away, and then we build new stuff.

“It requires a certain kind of attitude I think among the developers. You have stuff you’ve worked on for three months and then we decide to throw it away and do something different. That can be frustrating for some people. And I think for others that’s part of [the attraction].

“I think a lot of companies get bogged down because you’ve created something that sort of works and you have to continue to maintain it forever. I think as a startup you have the luxury of saying ‘Hey, that doesn’t work. Let’s try something else,’ both from a kind of business point of view but also from an infrastructure point of view.”

Startups may have more freedom to experiment than established companies, but the attitude is worth modeling at any company hoping to keep up in a rapidly evolving market.

The willingness to take risks and employee passion are the traits that stand out at the startups I’ve visited. Whether those traits result in a viable business, time will tell. In the meantime, those working at startups are excited about what they’re doing. They believe they are working toward changing the world. (And maybe they are.)

And I think that’s what dictates the startup culture. It’s not the bean bags, foosball, ping pong, or freedom to goof around. It’s that employees believe they’re working to make a difference.

Alan Berrey, CEO and founder of Scratch Wireless, a “Wi-Fi First” mobile provider, summed it up during my interview with him: “Look, Scratch Wireless is a blast. I can’t imagine doing anything else. I love it here, I love the people that work here, we’re having a great time together, we make a lot of fun of each other, we take a lot of things very lightly but we take also the things that are important or serious very seriously as well. And we really hope to change the model for the cell phone services throughout the world.”